Re: My Top 3 Check Point CLI commands

Here are some:

fwaccel stats -s
Why? To check acceleration status on the FW.

cphaprob -a if
Why? When troubleshooting a cluster, I verify all interfaces are UP and the Virtual IP address for the cluster interfaces.

cpwd_admin list
Why? A great way to explain the CP watchdog: run the command with watch -d, and from another terminal terminate one of the PIDs, and observe how the watchdog brings it back. It's also a great way to see that everything is up.

Fetches the policy from the management station named mastername. You can also use localhost as a way to reload the previously installed policy on the gateway. Note this is not to be confused with fw fetchlocal -d directory which is used in troubleshooting policy installation issues.

push_cert -s Cust_CMA -u admin -p adminpw -o examplegw -k test123

This is probably a command you haven't seen before, and there's not even a public SK on it.

It is used on the management to establish SIC with a newly installed security gateway without using SmartConsole or SmartDashboard, making it extremely useful in automation scenarios.

Arguments are as follows:

Switch: Description
-s Cust_CMA: Management or CMA IP/hostname (can be localhost)
-u admin: Username of admin user in SmartConsole/SmartDashboard
-p adminpw: Password of admin user specified above
-o examplegw: Name (in SmartConsole/SmartDashboard) of gateway to establish SIC with
-k test123: SIC one-time password (should match what was specified on the gateway during the first-time wizard)

Re: My Top 3 Check Point CLI commands

"fw ctl affinity -l -v -r" is a useful command when you're attempting to fine-tune the affinity of an IRQ to an interface. This is especially useful when looking at the amount of traffic received by an interface that deserves more "horsepower" and should not be sharing CPU time with other interfaces. This command will list what interface is connected to what IRQ to what core. "fw ctl affinity -s" will subsequently allow you to set the values.

Note that Multi Queue enabled interfaces will not show up, as they are assigned "automagically".

Re: My Top 3 Check Point CLI commands

This command allowed me to execute commands, transfer files etc. with a remote gateway without needing credentials. I was able to use it to copy a new shadow file to the remote gateway when the password was lost/corrupted.

Re: My Top 3 Check Point CLI commands

Lots of good ones so far, but just to be different the following commands are somewhat obscure but certainly come in handy occasionally (yes I'm well aware of the -f option for #1 and #2 but using it makes the commands take forever to execute):

This will show the top ten source IPs hogging slots in the connection table in descending order; however, you will need to manually convert the IP addresses displayed from hex to decimal like so: 0a1e0b53 = 10.30.11.83. For the top 10 destinations, substitute $4 for $2 in the awk command above.

2) How many concurrent connections are currently using a particular Hide NAT address and how close are we to the 50k concurrent connection limit? Going over the 50k limit causes the new traffic to be dropped and the infamous "NAT Hide failure - there are currently no available ports for hide operation" message. Edit: The 50k limit can be surpassed by setting up what I call a "many to fewer" NAT, see my post in the following thread:

Divide the number reported by 2, and you have your answer. The result must be divided by 2 because each post-NATted connection is represented by 2 flows, one outbound (c2s) and one inbound (s2c). Also the NAT IP address must be converted from the dotted quad format to hexadecimal as shown.

3) show routed cluster-state detailed

An undocumented clish command introduced in R77.30 that shows a concise timeline of ClusterXL failover events in a single display. Very handy when trying to correlate unexpected ClusterXL failovers to external network events, or trying to determine if unexplained failovers occur with any suspicious regularity that may point to the real culprit. Definitely beats trying to pore through a sea of Control events (grey wrench icon) in the firewall logs!
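An added example, not from the post above or from Check Point's own tooling: a small POSIX shell script that does the hex-to-dotted-quad conversion from item 1 (0a1e0b53 = 10.30.11.83) and its reverse, ranks the top talkers by the $2 (source) or $4 (destination) field as the post describes, and applies the divide-by-two rule from item 2 to count connections behind a Hide NAT address. The sample connection entries are constructed and only approximate the layout of a connections-table dump such as `fw tab -t connections -u`; the field positions are an assumption.

```shell
#!/bin/sh
# Added example, not from the post: helpers for the hex <-> dotted-quad
# conversions and the divide-by-two Hide NAT count described above.
# SAMPLE_TABLE is CONSTRUCTED to approximate connections-table entries
# (direction, src, sport, dst, dport, proto); the real field layout of a
# `fw tab -t connections -u` dump is an assumption here.
SAMPLE_TABLE='<00000000, 0a1e0b53, 0000c1a6, c0a80101, 00000050, 00000006; ...>
<00000000, 0a1e0b53, 0000c1a7, c0a80101, 00000050, 00000006; ...>
<00000000, 0a1e0b53, 0000c1a8, c0a80102, 000001bb, 00000006; ...>
<00000000, 0a1e0c14, 0000d200, c0a80101, 00000050, 00000006; ...>
<00000001, cb007105, 0000a001, c0a80101, 00000050, 00000006; ...>
<00000001, c0a80101, 00000050, cb007105, 0000a001, 00000006; ...>
<00000001, cb007105, 0000a002, c0a80102, 000001bb, 00000006; ...>
<00000001, c0a80102, 000001bb, cb007105, 0000a002, 00000006; ...>'

# 0a1e0b53 -> 10.30.11.83 (one octet per pair of hex digits)
hex2ip() {
    printf '%d.%d.%d.%d' \
        "0x$(printf '%s' "$1" | cut -c1-2)" "0x$(printf '%s' "$1" | cut -c3-4)" \
        "0x$(printf '%s' "$1" | cut -c5-6)" "0x$(printf '%s' "$1" | cut -c7-8)"
}

# 10.30.11.83 -> 0a1e0b53 (the reverse, needed to grep for a NAT address)
ip2hex() {
    # word splitting of the four octets is intended here
    printf '%02x%02x%02x%02x' $(printf '%s' "$1" | tr '.' ' ')
}

# Top-10 talkers by hex field: 2 = source, 4 = destination, as in the post
top_ips() {
    printf '%s\n' "$SAMPLE_TABLE" | tr -d '<>,;' | awk -v f="$1" '{ print $f }' \
        | sort | uniq -c | sort -rn | head -n 10 \
        | while read -r count hex; do
            printf '%s %s\n' "$count" "$(hex2ip "$hex")"
        done
}

# Concurrent connections behind a Hide NAT address: matching flows / 2,
# since each NATted connection appears as one c2s and one s2c flow
hide_nat_conns() {
    hex=$(ip2hex "$1")
    flows=$(printf '%s\n' "$SAMPLE_TABLE" | grep -c "$hex" || true)
    echo $((flows / 2))
}

top_ips 2                       # first line: 3 10.30.11.83
hide_nat_conns 203.0.113.5      # 2
```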